diff options
| author | Brian Warner <warner@lothar.com> | 2018-06-03 13:57:19 -0700 |
|---|---|---|
| committer | Brian Warner <warner@lothar.com> | 2018-06-03 14:56:20 -0700 |
| commit | 0869881573ec805ec2337469ed5c4184cb0382e2 (patch) | |
| tree | f9d3b91ddad329910a6ec0ea9693d25616af4651 /srp/src | |
| parent | 9bd20219ac9d6727a4b99cf6dd48e44b3190c6c9 (diff) | |
| download | PAKEs-0869881573ec805ec2337469ed5c4184cb0382e2.tar.xz | |
use newtypes for Password and Identity to avoid usage errors
This a breaking API change. The next release should bump the minor version
number.
As discussed in https://github.com/warner/spake2.rs/issues/3 and
https://github.com/warner/magic-wormhole.rs/issues/32 , if an application
were to accidentally swap the "password" and "identity" arguments (mainly for
start_symmetric which only takes two args), the app would appear to work, but
would contain a devastating security vulnerability (online brute-force
password attack, with precomputation enabled).
You might think of newtypes as giving the API named parameters. Instead of:
`s = start_symmetric(b"pw", b"appid")`
you get:
`s = start_symmetric(&Password::new(b"pw"), &Identity::new(b"appid"))`
but it protects you (with a compile-time error) against mistakes like:
`s = start_symmetric(&Identity::new(b"appid"), &Password::new(b"pw"))`
I'd like to find a way to remove requirement to pass a reference (and enable
`start_symmetric(Password::new(..)..)`).
Diffstat (limited to 'srp/src')
0 files changed, 0 insertions, 0 deletions